Q1. You are troubleshooting an SRX240 acting as a NAT translator for transit traffic. Traffic is dropping at the SRX240 in your network. Which three tools would you use to troubleshoot the issue? (Choose three.)
A. security flow traceoptions
B. monitor interface traffic
C. show security flow session
D. monitor traffic interface
E. debug flow basic
Answer: A,B,C
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
Q2. You have initiated the download of the IPS signature database on your SRX Series device. Which command would you use to confirm the download has completed?
A. request security idp security-package install
B. request security idp security-package download
C. request security idp security-package install status
D. request security idp security-package download status
Answer: D
Q3. You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?
A. You can use SCEP to accomplish this behavior.
B. You can use OCSP to accomplish this behavior.
C. You can use CRL to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.
Answer: A
Explanation: Reference: Page 9
http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf
Q4. How does the SRX5800, in transparent mode, signal failover to the connected switches?
A. It initiates spanning-tree BPDUs.
B. It sends out gratuitous ARPs.
C. It flaps the impaired interfaces.
D. It uses an IP address monitoring configuration.
Answer: B
Q5. Which action will allow an administrator to connect in band to an SRX Series device in transparent mode over SSH?
A. Use a VLAN interface.
B. Use the loopback interface.
C. Use a logical interface.
D. Use an irb interface.
Answer: D
Q6. Click the Exhibit button.
user@host# run show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:05:06
                    > to 172.16.1.1 via ge-0/0/1.0
172.16.1.0/24      *[Direct/0] 00:05:06
                    > via ge-0/0/1.0
172.16.1.3/32      *[Local/0] 00:05:07
                      Local via ge-0/0/1.0
192.168.200.2/32   *[Local/0] 00:05:07
                      Reject

vr-a.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.1/24     *[Direct/0] 00:01:05
                    > via ge-0/0/2.0
192.168.1.2/32     *[Local/0] 00:01:05
                      Local via ge-0/0/2.0

vr-b.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.1/24     *[Direct/0] 00:01:05
                    > via ge-0/0/3.0
192.168.1.2/32     *[Local/0] 00:01:05
                      Local via ge-0/0/3.0
User 1 will access Server 1 using IP address 10.2.1.1. You need to ensure that return traffic is able to reach User 1 from Server 1.
Referring to the exhibit, which two configurations allow this communication? (Choose two.)
A. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone [ untrust ];
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                }
            }
        }
    }
}
B. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone [ junos-host untrust ];
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                    routing-instance vr-b;
                }
            }
        }
    }
}
C. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone untrust;
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                    routing-instance vr-a;
                }
            }
        }
    }
}
D. [edit security nat static]
user@host# show
rule-set in {
    from zone untrust;
    to zone cust-a;
    rule overload {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Answer: B
Q7. Click the Exhibit button.
user@host> show interfaces routing-instance all ge* terse
Interface     Admin Link Proto Local               Instance
ge-0/0/0.0    up    up   inet  172.16.12.205/24    default
ge-0/0/1.0    up    up   inet  5.0.0.5/24
                         iso                       A
ge-0/0/2.0    up    up   inet  25.0.0.5/24
                         iso                       B

user@host> show security flow session
Session ID: 82274, Policy name: default-policy-00/2, Timeout: 1770, Valid
  In: 5.0.0.25/61935 --> 25.0.0.25/23;tcp, If: ge-0/0/1.0, Pkts: 31, Bytes: 1781
  Out: 25.0.0.25/23 --> 5.0.0.25/61935;tcp, If: ge-0/0/2.0, Pkts: 23, Bytes: 1452
Total sessions: 3

user@host> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:08:52
                    > to 172.16.12.1 via ge-0/0/0.0
172.16.12.0/24     *[Direct/0] 04:08:52
                    > via ge-0/0/0.0
172.16.12.205/32   *[Local/0] 4w4d 23:04:29
                      Local via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 14:37:35, metric 1
                      MultiRecv

A.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.0.0.0/24         *[Direct/0] 00:05:04
                    > via ge-0/0/1.0
5.0.0.5/32         *[Local/0] 00:05:04
                      Local via ge-0/0/1.0
25.0.0.0/24        *[Direct/0] 00:02:37
                    > via ge-0/0/2.0

B.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.0.0.25/32        *[Static/5] 00:02:38
                      to table A.inet.0
25.0.0.0/24        *[Direct/0] 00:02:37
                    > via ge-0/0/2.0
25.0.0.5/32        *[Local/0] 00:02:37
                      Local via ge-0/0/2.0
Which statement is true about the outputs shown in the exhibit?
C. The routing instances A and B are connected using an lt interface.
D. Routing instance A’s routes are shared with routing instance B.
E. Routing instance B’s routes are shared with routing instance A.
F. The routing instances A and B are connected using a vt interface.
Answer: C
Q8. You are asked to configure your SRX Series device to support IDP SSL inspections for up to 6,000 concurrent HTTP sessions to a server within your network.
Which two statements are true in this scenario? (Choose two.)
A. You must add at least one PKI certificate.
B. Junos does not support more than 5000 sessions in this scenario.
C. You must enable SSL decoding.
D. You must enable SSL inspection.
Answer: C,D
Q9. What are three techniques to mark DSCP values on an SRX Series device? (Choose three.)
A. IDP attack action-based DSCP rewriters
B. 802.1Q
C. VLAN rewrite
D. ALG-based DSCP rewriters
E. Layer 7 application-based DSCP rewriters
Answer: A,D,E
Q10. You must ensure that your Layer 2 traffic is secured on your SRX Series device in transparent mode.
What must be considered when accomplishing this task?
A. Layer 2 interfaces must use the ethernet-switching protocol family.
B. Security policies are not supported when operating in transparent mode.
C. Screens are not supported in your security zones with transparent mode.
D. You must reboot your device after configuring transparent mode.
Answer: D